Publish the Standardized EKS cluster and container resources using AWS Service Catalog

The pace of application development in modern cloud native environments keeps accelerating along with business innovation. Many companies struggle to maintain their governance best practices and compliance requirements while sustaining an agile innovation culture.

AWS Service Catalog lets you achieve consistent governance while team members can easily get the necessary AWS resources.

Your organization may require the teams to have independent EKS clusters with every required compliance setting. You may also have some business users who require an application with minimal request and approval processes. Furthermore, there are developers who need standardized CI/CD Pipelines ready without worrying about the individual pipeline steps, so that they can focus on the application.

This post will demonstrate how to deploy a standardized EKS cluster, container resources using Helm, and a sample CI/CD pipeline through AWS Service Catalog. To deploy the required AWS Service Catalog resources, we will use the AWS Cloud Development Kit (CDK). The AWS CDK lets you define your cloud application resources in familiar programming languages, with AWS CloudFormation as the backend. We will start by setting up the environment for the AWS CDK. Background knowledge of SSH and GitHub is recommended in order to follow this demo.

Overview

[Figure: EKS Service Catalog solution overview]

This solution is comprised of four main parts.

  1. AWS Service Catalog enables the self-service capability of your end user, such as developers, data scientists, or business users. Under the Portfolio of AWS Service Catalog, define the set of standardized Products—a combination of multiple AWS Services and Kubernetes resources. In this post, we use three Products:
    • Standardized EKS cluster.
    • Kubernetes resource to spin up a WordPress website
    • CI/CD Pipeline for the developers to deploy to a certain EKS cluster.
  2. As the first product, an EKS cluster will be provisioned. This product asks for the key parameters needed to configure the cluster the way you designed it. We will use the standard AWS EKS QuickStart template as an example.
  3. Then we will provision a predefined Helm chart that deploys WordPress as an example in order to demonstrate how to publish container resources in a Kubernetes environment using the AWS Service Catalog. Helm is a package manager for Kubernetes that helps you define, install, and upgrade even the most complex Kubernetes application.
  4. Lastly, the container code pipeline, including AWS CodePipeline and Amazon Elastic Container Registry (Amazon ECR), will be deployed as the last product. This lets developers deploy a standardized CI/CD pipeline targeting a specific EKS cluster in a self-service fashion. AWS CodePipeline is a fully managed, continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. The pipeline stores container images built from the predefined stages using Amazon ECR. This is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images and artifacts anywhere.

DevOps pipeline solution to deploy containerized application using Amazon EKS

We will walk you through how to deploy every listed component into your AWS account step by step. Before we dive into the details, let’s see how the whole demonstration goes.

  1. First, clone a GitHub repository. This GitHub repository hosts the AWS CDK application and a README guide. Clone this repository in order to have the basic setting of the AWS Service Catalog—Portfolio, Products, and Launch Roles.
  2. Once you have cloned the repository and have the AWS CDK tools ready, you will run cdk deploy in order to deploy the listed AWS Service Catalog resources to your account.
  3. AWS CloudFormation will do the provisioning on behalf of your cdk CLI action. When the deployment is complete, the CloudFormation output will be printed in your terminal. After this step, validate the deployment in the AWS Management Console.
  4. To test the Products as one of the end users, you will assume an IAM Role and create the Products.

Installing Pre-requisites

The walkthrough is based on the North Virginia region (us-east-1). As the AWS administrator, you will create the AWS Service Catalog resources by using the AWS CDK.

  • Install every tool required for today’s demonstration:

# Install TypeScript globally for CDK
npm i -g typescript

# If you are running these commands in Cloud9 or already have CDK installed, then skip this command
npm i -g [email protected]

Note: In the following walkthrough, we assume you have already configured AWS credentials in your terminal. If you have not done this, follow the AWS CLI documentation on configuring credential files.

  • Deploy a CustomResource to provision Helm Charts:

aws cloudformation create-stack \
  --stack-name awsqs-kubernetes-helm-resource \
  --capabilities CAPABILITY_NAMED_IAM \
  --template-url https://s3.amazonaws.com/aws-quickstart/quickstart-helm-resource-provider/deploy.template.yaml

  • Clone the demo CDK application and deploy it into your account:

git clone https://github.com/yjw113080/eks-servicecatalog-cdk.git
cd eks-servicecatalog-cdk
npm i && npm run build
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
cdk bootstrap aws://$ACCOUNT_ID/us-east-1
cdk deploy --require-approval never

When the CDK application is successfully deployed, you will see the completion message in your terminal. Find the ARN of the IAM Role named enduserarn, which you will assume to test the Service Catalog Portfolio:

Verify the created AWS Service Catalog resources

As the end user of the AWS Service Catalog, you will go through the process of creating the Products provided by the administrator.

1. Use the output to assume the role. When you click your login information in the upper right corner, you will see Switch Role. Once you click it, you will see the following console, where you can supply the details of the IAM Role you are trying to assume.

Note: Put the Role name, not full ARN in the Role field.

2. When you have successfully assumed the role, go to the AWS Service Catalog console where you will see the following products ready:

Create a standardized EKS cluster using AWS Service Catalog

This step provisions 1 new VPC and 4 new Elastic IPs for the NAT Gateways and the bastion host. Please ensure that you have the required IAM permissions, account limits, and access to create those resources.

  • Click EKS Cluster to provision the cluster first. Once you click it, you will see the Product details page. Click Launch Product.

  • Insert the name of the Product you are trying to create, or click the checkbox to auto-generate the product name.

  • Scroll down to the Parameters. You will see the options for customizing your EKS cluster. What you can customize is determined by the AWS Service Catalog administrator.

Note: We will skip the version panel, since we only have one version.

  • Insert the basic configuration for your EKS cluster as described in the screenshot. In this demo, I used three Availability Zones in the North Virginia Region (us-east-1). For testing purposes, I also allowed every IP address (the 0.0.0.0/0 CIDR range) to reach my instance, but this is never recommended for production environments. For Allowed external access CIDR, type 0.0.0.0/0 for the convenience of the test. In a production environment, ensure that the range falls within your organization’s security policy. Then, specify the SSH key to use when accessing the EC2 instances used for the EKS cluster.

Then, in the Amazon EKS configuration, enable the EKS public access endpoint so that AWS CodePipeline can reach the cluster API and conduct the deployment on your developer’s behalf.

Proceed to the next step. I strongly recommend reviewing the options provided by the AWS QuickStart, and using it as a possible method for shipping your standard applications into the EKS cluster and to the actual end users in your organization.
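The CIDR setting above is left to the end user's judgement; the portfolio administrator can make the production rule enforceable instead. The following added example (not code from the post or its repository) builds a Service Catalog template constraint that rejects 0.0.0.0/0 for the EKS Cluster product and evaluates it locally against candidate launch parameters, plus a pre-flight check an end user can run against approved corporate ranges. It assumes the QuickStart parameter behind the "Allowed external access CIDR" field is named RemoteAccessCIDR, and the approved ranges are constructed sample values.

```python
import ipaddress

# Assumption (not from the post): the QuickStart parameter behind the
# "Allowed external access CIDR" field is named RemoteAccessCIDR.
CIDR_PARAM = "RemoteAccessCIDR"
WORLD_OPEN = "0.0.0.0/0"


def build_template_constraint() -> dict:
    """CloudFormation Rules document that the portfolio administrator attaches
    to the EKS Cluster product as a Service Catalog template constraint."""
    return {"Rules": {"RemoteAccessCidrNotWorldOpen": {"Assertions": [{
        "Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": CIDR_PARAM}, WORLD_OPEN]}]},
        "AssertDescription": f"{CIDR_PARAM} must not be {WORLD_OPEN}; "
                             "use your organisation's approved egress range.",
    }]}}}


def _resolve(expr, params: dict):
    """Evaluate the subset of intrinsic functions the rule above uses."""
    if not isinstance(expr, dict):
        return expr
    (fn, args), = expr.items()
    if fn == "Ref":
        return params[args]
    if fn == "Fn::Equals":
        return _resolve(args[0], params) == _resolve(args[1], params)
    if fn == "Fn::Not":
        return not _resolve(args[0], params)
    raise ValueError(f"unsupported intrinsic function: {fn}")


def violations(constraint: dict, params: dict) -> list:
    """Descriptions of every assertion the launch parameters fail; Service
    Catalog refuses the launch when this list is non-empty."""
    failed = []
    for rule in constraint["Rules"].values():
        for assertion in rule["Assertions"]:
            if not _resolve(assertion["Assert"], params):
                failed.append(assertion["AssertDescription"])
    return failed


def cidr_within(cidr: str, approved: list) -> bool:
    """Pre-flight check for the end user: the requested range must sit inside
    one of the organisation's approved networks (constructed sample values)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, approved))
```

The Rules document is attached to the product with aws servicecatalog create-constraint of type TEMPLATE; the local evaluator mirrors only the intrinsic functions this rule uses.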

  • Scroll down to the end of the page, then click Launch product.

Once you click Launch product, you will see that a product has been created that deploys AWS resources on your behalf. If you scroll down to the Event tab, you will see the ARN of the AWS CloudFormation stack. You can track the progress when you click the CloudFormation link. This may take over 30 minutes to provision every resource. Feel free to have a coffee break.

When the resources are ready, the CloudFormation output will be in the Product detail page of the AWS Service Catalog menu. Note the EKSClusterName so that you can use it for the other two Products.

By launching the EKS Cluster Product, you have created the following resources:

Access the EKS cluster through the bastion host, which you will also use later to test the pipeline:

Want to check out the provisioned EKS cluster? Log in to the bastion host using the IP address in the output section and the SSH key that you specified. When you run kubectl get node, you will see the result shown in the following screenshot.

Deploy WordPress application over the created EKS cluster

Next, let’s deploy Container resources over the cluster using Helm Charts. Go back to the Product list, then click WordPress on EKS cluster. When you see the Product detail page, click Launch Product.

Type the product name that you will provision, then scroll down to the Parameter panel. You will be asked for the name of the EKS cluster where your WordPress should be located. Enter the EKS cluster name you noted from the EKS Cluster Product you just created. Then, scroll down and click Launch product.

Once the provisioning tasks are completed, you can see the product status has changed to Available. Let’s see if it’s true. Go back to the ssh session and to the bastion host. Check the newly added Kubernetes resources by running kubectl get pod.

Now that we know the Kubernetes resources were created successfully, let’s see if the new WordPress application actually works. Run kubectl get svc and find the load balancer URL of the WordPress application.

Copy and paste the LoadBalancer’s URL into your web browser, and you will see the WordPress application! As the business user, you can successfully deploy the application under the administrator’s control.

Note: It takes several minutes to create the load balancer.

Creating the CI/CD Pipeline

Lastly, create a pipeline for the developer’s new project, including AWS CodeCommit repository and Amazon Elastic Container Registry.

1. Go back to the Product list, then click CodePipeline with CodeCommit. When you see the Product detail page, click Launch product.

2. Fill the information fields with Cluster name, IAM Role, and CodeCommit repository information.

  • First, input the name of the EKS cluster that will be the target of the pipeline’s final deployment.
  • In order for the pipeline to create the required container resources in the Kubernetes cluster, it needs an IAM role with sufficient permissions on the cluster. In this demo, we use the launch role from the CDK stack output printed when we provisioned the AWS Service Catalog resources. You will find the launchrole ARN in your terminal.

  • Input the name of the CodeCommit repository in order to host the application.

3. Once all of the resources are created, you can see the following output from the Product detail page:

Make a note of the CodeCommitRepository for the next step.

4. If you click the pipeline output value, you will see that the CodePipeline failed when it was provisioned. This is because the source CodeCommit repository is also newly created, so it does not have any commit for the pipeline to track.

5. To test the pipeline, give the bastion host access to AWS CodeCommit repositories by following the steps below:

  • Copy the RoleName out of the printed result after running:

aws iam list-roles | grep BastionRole

  • Execute the following command, replacing <<BastionRole RoleName>> with that name:

aws iam attach-role-policy --role-name <<BastionRole RoleName>> --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitPowerUser

Note: AWSCodeCommitPowerUser is a managed policy that grants broad CodeCommit access to every repository in the account; for anything beyond this demo, scope the bastion role’s permissions to the single repository the pipeline uses.

6. Paste the following commands in the terminal where your SSH session is alive:

# Let git obtain CodeCommit credentials from the bastion's IAM role
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
# Sample application to push into the new repository
git clone https://github.com/yjw113080/aws-cdk-multi-region-sample-app
git clone <<CodeCommitRepository>> codecommit # replace <<CodeCommitRepository>> with the product output from the console.
cp -R aws-cdk-multi-region-sample-app/* codecommit/
cd codecommit
git add .
git commit -m "initial commit"
git push

If you head to the AWS CodePipeline console by using the product output, you will see that the pipeline has been triggered by the push above.

Once the pipeline is completed, you will be able to see the newly created Kubernetes resource by running kubectl get all in the SSH session.

Copy the EXTERNAL-IP of service/hello-py and paste it into the browser. You will see the application from the sample repository running.

Cleanup

To avoid ongoing charges, complete the following steps in order to delete the resources provisioned in this post.

  1. As the end user or developer, from the AWS Service Catalog console, go to the Provisioned products list to terminate the provisioned resources. Terminate the products one at a time, in the reverse order of provisioning:
    • CodePipeline with CodeCommit
    • WordPress on EKS cluster
    • EKS Cluster
  2. For each product, from Actions, choose Terminate, type terminate, and then choose Terminate.
  3. When all of the provisioned products are deleted, destroy the AWS Service Catalog resources by running cdk destroy in the terminal where you ran cdk deploy.

If you launched any resources directly with AWS CloudFormation, go to the CloudFormation console and delete the created stack.

Conclusion

This post demonstrated how to deploy AWS Service Catalog by using the AWS CDK, and how it can help standardize your EKS cluster and related resources, including Kubernetes resources and a CI/CD pipeline. With AWS Service Catalog, your end users can easily get the IT resources they need and maintain the pace of innovation without breaking your organization’s governance best practices and compliance requirements.

About the author

Jiwon Yeom is a Solutions Architect with technical expertise in containers and DevOps. She is currently helping customers innovate with AWS services in Seoul, South Korea. Outside of work, she reads books and writes about her career journey.